Using Expressions

Network Registrar provides enhanced client-class support. You can now place a request into a client-class based on the contents of the request, without having to register the client in the client database. Also, you can now place requests in a client-class based on the number of the active leases of a subscriber, allowing limitations on the level of service offered to various subscribers. This is possible through the special DHCP options processing using expressions.

You can set the limitation on subscriber addresses based on values in the DHCP relay-agent-info option (option 82, as described in RFC 3046). These values do not need to reveal any sensitive addresses. You can create values that relate an individual to a subscriber by creating an expression that evaluates the incoming DHCPDISCOVER request packets against option 82 suboptions (remote-id or circuit-id) or other DHCP options. The expression is a series of if statements that return different values depending on what is evaluated in the packet. This, in effect, calculates the client-class in which the subscriber belongs, and limits address assignment to the scope of that client-class.

Note Expressions are not the same as DHCP extensions. Expressions are commonly used to create client identities or look up clients. Extensions (see Using Extension Points) are used to modify request or response packets. The expressions described here are also not the same as regex.

See Also

Using Expressions

•Calculating a client-class—client-class-lookup-id. This expression determines the client-class based on the contents of the incoming packet.

•Creating the key to look up in the client-entry database—client-lookup-id. This accesses the client-entry database with the key resulting from the expression evaluation.

•Creating the ID to use to limit clients of the same subscriber—limitation-id. This is the ID to use to check if any other clients are associated with this subscriber.

This kind of processing results in this scenario:

1. The DHCP server tries to get a client-class based on a client-class-lookup-id expression. If it cannot calculate the client-class, it uses the usual MAC address method to look up the client.

2. If the server can calculate the client-class, it determines if it needs to do a client-entry lookup, based on evaluating a client-lookup-id expression that returns a client-lookup-id. If it has such an ID, it uses it to look up the client. If it does not have such an ID, it uses the calculated client-class value to assign addresses.

3. If the server uses the client-lookup-id and finds a client-entry, it uses the data for the client. If it cannot find a client-entry, it uses the calculated or default client-class data.

You set the upper limit on assigned addresses to clients on a network or LAN segment having an identical limitation-id value on the policy level. Set this upper limit as a positive integer using the limitation-count attribute for the policy.

The values to set for limiting IP addresses to subscribers are:

•For a policy, set the limitation-count attribute to a positive integer.

•For a client-class, set the limitation-id and client-lookup-id attributes to an expression, and set the over-limit-client-class-name attribute to a client-class.

•For a client, set the over-limit-client-class-name attribute to a client-class.

Entering Expressions

You can include simple expressions as such in the attribute definition, or include more complex ones in an expression file and reference the file in the attribute definition. Either way, the maximum allowable characters is 16 KB.

Simple expressions must adhere to these rules when you enter them in the CLI:

•They must be limited to a single command line.

•The entire expression must be enclosed in double quotes ("").

•Embedded double quotes must be escaped with a backslash (\).

Here is an example of a simple expression to set the client-class-lookup-id:

"\"limit\""

Here is a slightly more extensive example to set the client-class limitation-id:

"(request option 82 \"circuit-id\")"

You must enter any more complex expressions, that are not limited to one line or that you want to format for comprehension, in a file and reference it in the attribute definition prefixed by the "at" symbol (@):

@cclookup.txt

The syntax of the expression in the file does not have the extra requirements (as to spacing and escaping of characters) of the simple expression. It can also include comment lines, prefixed by the pound sign (#), double-slash (//), or a semicolon (;), and terminated at the end of line.

The or function in the example ensures that if the packet was not relayed or if the relay agent did not add the option, then the server assumes the client to be a CPE and not a cable modem (CM).

Creating Expressions

Using DHCP expressions, you can retrieve, process, and make decisions based on data in incoming DHCP packets. You can use them for determining the client-class of an incoming packet, and create the equivalence key for option 82 limitation support. They provide a way to get information out of a packet and individual options, a variety of conditional functions to allow decisions based on information in the packet, and data synthesis capabilities where you can create a client-class name or key.

Refer to this file to use the expression to set the client-class lookup ID for the server:

nrcmd> dhcp set client-class-lookup-id=@cclookup.txt

You can generate a limitation key by trying to get the remote-id suboption from option 82, and if unable, to use a standard MAC blob key. Include an expression in a file and set the limitation ID to it in the cclimit.txt file:

This example compares the remote-id suboption of the relay-agent-info option (option 82) with the MAC address in the packet, and if they are the same, returns "cm-client-class," and if they are different, returns "cpe-client-class." (If the expression cannot evaluate the data, the try function returns a "<none>" value—see the "Expressions Can Fail" section.) The intent is to determine if the device is a cable modem (where, presumably, the remote-id equals the MAC address) and, if so, put it into a separate client-class than the customer premise equipment or PC. Note that both functions and literals are expressions. The previous example shows a function as an expression. For literals, see the "Literals in Expressions" section.

Expression Datatypes

The datatypes that expressions support are:

•Blob—Counted series of bytes, with a minimum supported length of 1 KB.

•String—Counted series of NVT ASCII characters, not terminated by a zero byte, with a minimum supported length of 1 KB.

•Signed integer—32-bit signed integer.

•Unsigned integer—32-bit unsigned integer.

Note that there is no IP address datatype; an IP address is a 4-byte blob. All numbers are in network byte order. See the "Datatype Conversions" section.

Literals in Expressions

A variety of literals are included in the expression capability:

•Signed integers—Normal numbers that must fit in 32 bits.

•Unsigned integers—Normal unsigned numbers that must fit in 32 bits.

•Blobs—Hex bytes separated by colons. For example, 01:02:03:04:05:06 is a 6-byte blob with the bytes 1 through 6 in it. This is distinct from "01:02:03:04:05:06" (a 17-byte string). The string is related to the blob by being the text representation of the blob. For example, the expression (to-blob "01:02:03") returns the blob 01:02:03. Note that you cannot create a literal representation of a one-byte blob, as 01 will turn into an integer. To get a one-byte blob containing a 1, you would use the expression (substring (to-blob 1) 3 1). The 3 indicates the offset to extract the fourth byte of the 4-byte integer (00:00:00:01), with the 1 being the number of bytes extracted, with a result of "01."

•String—Characters enclosed in double quotes. For example, "example.com" is a string, as is "01:02:03:04:05:06." To place a quote in a literal string, escape it with a backslash (\), for example:

"this has one \"quote"

Integer literals (signed and unsigned) are assumed to be in base10. If they start with a 0, they are considered octal; if they start with 0x, they are considered hexadecimal. Some examples of literals:

•1 is an unsigned integer literal (also a perfectly valid expression). It contains 4 bytes, the first three of which are zero, and the last of which contains a 1 in the least significant bit.

•01:02:03 is a blob literal containing three bytes, 01, 02, and 03.

•-10 is a signed integer literal containing four bytes with the twos-complement representation of decimal -10.

Expressions Return Typed Values

With few exceptions, the point of an expression is to return a value. The expression configured to determine a client-class is configured in the DHCP server property client-class-lookup-id. When this expression is evaluated, the DHCP server expects it to return a string containing the name of a client-class, or the string <none>.

Every function returns a value. The datatype of the value may depend on the datatype of the argument or arguments. Some expressions only accept arguments of a certain datatype; for example:

(+ argument0argument1)

In most cases, a function that requires a certain datatype for a particular argument tries to convert the argument that it gets to the proper datatype. For example, (+ "1" 2) returns 3, because it successfully converts the string literal "1" into a numeric 1. However, (+ "one" 2) causes an error, because "one" does not convert successfully into a number. In general, the expression evaluator tries to do the right thing as much as possible when making datatype conversion decisions.

Expressions Can Fail

While some of the functions that make up an expression operate correctly on any datatype or value, many do not. In the previous section, the + function would not convert the string literal "one" into a valid number, so the evaluation of that function failed. When a function fails to evaluate, its calling function also fails, and so on, until the entire expression fails. A failed expression evaluation has different consequences depending on the expression involved. In some cases, it can cause the packet to be dropped, while in others it only generates a warning message.

You can prevent the evaluation from failing by using the (tryexpressionfailure-expression) function. The try function evaluates the expression and, if successful, the value of the function is the value of the expression. If the evaluation fails (for whatever reason), the value of the function is the value of the failure-expression. The only situation where a try function itself fails is if the failure-expression evaluation fails. Thus, you should be careful what expression you define as a failure-expression. A string literal is a safe bet. Thus, protecting the evaluation of the client-class-lookup-id with a try function is a good idea. The previously cited example shows how this can work:

Arithmetic operations on a signed integer or an expression is convertible to a signed integer. Any argument that cannot convert to a signed integer (and is not null) returns an error. Any argument that evaluates to null is ignored (except that the first argument for - and / must not evaluate to null). These functions always return signed integers (note that overflow and underflow are currently not caught):

•+ sums the arguments; if no arguments, the result is 0.

•- negates the value of a single argument or, if multiple arguments, successively subtracts the values of the remaining ones from the first one; for example, (- 3 4 5) becomes -6.

•* takes the product of the argument values; if no arguments, the result is 1.

•/ successively divides the first argument by all of the others; for example, (/ 100 4 5) becomes 5. If any argument other than the first equals 0, an error is returned.

•% is the modulo arithmetic operator to determine the remainder of the result of the first argument divided by the second one; for example, (% 12 7) becomes 5 (12 / 7 = 1 * 7 + 5).

Returns a value that is the datatype of argn or null. It evaluates its arguments in order from left to right (the arguments can evaluate to a datatype). If any argument evaluates to null, it stops evaluating the arguments and returns null. Otherwise, it returns the value of the last argument, argn.

Treats expr as if it were a blob. If expr evaluates to a string, the bytes that make up the string become the bytes of the blob that is returned. If expr evaluates to a blob, that blob is returned unmodified. If expr evaluates to either kind of integer, a 4-byte blob containing the bytes of the integer is returned. (See Table 25-2.)

(as-sintexpr)

(as-sint ff:ff:ff:ff) returns -1

(as-sint 2147483648) returns an error

Treats expr as if it were a signed integer. If expr evaluates to a string or blob of 4 bytes or less, the function returns a signed integer constructed out of those bytes (if longer than 4 bytes, it returns an error). If expr evaluates to a signed integer, it returns the value unchanged; if an unsigned integer, it returns a signed integer with the same bit value. (See Table 25-2.)

(as-stringexpr)

(as-string 97) returns "a"

(as-string 68:65:6c:6c:6f:20:77:6f:72:6c:64) returns "hello world"

(as-string 0) returns an error.

Treats expr as if it were a string. If expr evaluates to a string, it returns that string. If expr evaluates to a blob, it returns a string constructed from the bytes in the blob, unless they are nonprintable ASCII values, which returns an error. If expr evaluates to an integer, it considers its value to be the ASCII value for a single character and returns a string consisting of that one character, unless it is nonprintable, which returns an error. (See Table 25-2.)

(as-uintexpr)

(as-uint -2147483648) returns the unsigned integer 2147483648

(as-uint -1) returns the unsigned integer 4294967295

(as-uint ff:ff:ff:ff) returns the unsigned integer4294967295

Treats expr as if it were an integer. If expr evaluates to a string or blob of 4 bytes or less, it returns an unsigned integer constructed from those bytes; if longer than 4 bytes, it returns an error. If the result is an unsigned integer, it returns the argument unchanged; if a signed integer, it returns an unsigned integer with the same bit value (see Table 25-2).

(ashexpr shift) (lshiftexpr shift)

(ash 00:01:00 1) returns the blob 00:02:00

(lshift 00:01:00 -1) returns the blob 00:00:80

(ash 1) returns the unsigned integer 2

Returns an integer or blob with the bits shifted by the shift amount. The expr can evaluate to an integer, blob or string. If expr evaluates to a string, this function tries to convert it to a signed integer, and if that fails, to a blob. If both fail, it returns an error. The shift must evaluate to something that is convertible to a signed integer. If shift is positive, the shift is to the left; if negative, the shift is to the right. If expr results in a signed integer, the right shift is with sign extension. If expr results in an unsigned integer or blob, a right shift shifts zero bits in on the most significant bits.

Return the result of a bit-wise boolean operation on the two arguments. The data type of the result is a signed integer if both arguments result in either kind of integer, otherwise the result is a blob. The arg1 and arg2 arguments must evaluate to two integers, two blobs of equal length, or one integer and one blob of length 4. If either argument evaluates to a string, the function tries to convert the string to a signed integer, and if that fails, to a blob. After this conversion, the results must match the criteria mentioned above. If these conditions are not met, it returns an error.

Operations with c1 and c2 indicate that the first and second arguments, respectively, are complemented before the operation.

(bit-notexpr)

(bit-not ff:ff) returns 00:00

(bit-not 1) returns 4294967295

(bit-not "hello world") returns an error

Returns a value that is the bit-by-bit complement of expr. The datatype of the result is the same as the result of evaluating expr and any subsequent conversions, if the result was a string. The expression must evaluate to an integer of either type, or a blob. If it evaluates to a string, the function tries to convert it to a signed integer; if that fails, to a blob, and if that fails, returns an error.

(bytearg1)

(byte 150) returns 0x96

(byte 0x96) returns 0x96

Eases creation of one-byte blobs. It returns this blob depending on the data type:

•sint, uint—Returns a low-order byte of type integer.

•blob—Returns the last byte in the blob.

•string—Returns the last bye in the string.

(commentcomment expr1... exprn)

(comment "this is a comment that won't get lost" (request option 82 1))

Inserts a comment string into an expression and returns the value of the last expression (exprn).

(concatarg1 ... argn)

(concat "hello " "world") returns "hello world"

(concat -1 "world") returns an error

(concat -1 00:01:02) returns the blob ff:ff:ff:ff:00:01:02

Concatenates the values of the arguments into a string or blob (ignoring null arguments). The first argument (arg1) must evaluate to a string or a blob; if it evaluates to an integer, the function converts it to a blob. The datatype of arg1 (after any conversion) determines the datatype of the result. The function converts all subsequent arguments to the datatype of the result, and if this conversion fails, returns an error.

(datatypeexpr)

Returns the datatype of the result of the expression (expr). If the expression cannot evaluate expr, it returns an error, otherwise it returns the datatype as a string, which can be:

Creates an environment with a single local integer variable, var, which is initially set to zero, and evaluates exp1 through expn. It then increments var by one, and if it is less than count-expr, evaluates exp1 through expn again. When var is equal to or greater than count-expr, the function evaluates result-expr and returns it as the result of the entire dotimes. If there is no result-expr, the function returns null.

The var defines a local variable, and must be an alphabetic name. The count-expr must evaluate to an integer or be convertible to one. The exp1 through expn are expressions that can evaluate to any data type. The result-expr is optional, and if it appears, it can evaluate to any data type. When the function evaluates count-expr, var is not bound and cannot appear in count-expr. Alternatively, var is bound for the evaluation of result-expr and has the value of count-expr. If result-expr is omitted, the function returns null.

Note Be careful changing the value of var in exp1 through expn, because you can easily create an infinite loop (see the example).

(environmentdictionary {get | putval | delete} attr)

nrcmd> dhcp set initial-environment-dictionary=first=one, second=2

(environmentdictionary get "first") returns "one"

(environmentdictionary get "second") returns "2" (note string 2)

(environmentdictionary put "two" "second") returns "second"

(environmentdictionary delete "first") returns null

Gets, puts, or deletes a DHCP extension environment dictionary attribute value. The val is the value of the attribute and attr is the attribute name. Both are converted to a string regardless of their initial datatype. The initial environment dictionary cannot be changed, but it can be shadowed (you can redefine something that is in the initial dictionary, but if you remove it, then the original initial value is still there). Note that the get keyword is not optional for a "get."

(equalexpr1 expr2 expr3)(equaliexpr1 expr2 expr3)

(equal (request option "dhcp-class-identifier") "docsis") returns the string "docsis" if the value of the option dhcp-class-identifier is a string identical to "docsis"

(equali "abc" "ABC") returns "ABC"

(equal "abc" "def") returns null

(equal "ab" (as-string 61:62)) "this is true") returns "this is true"

(equal "ab" 61:62 "this is not true") returns null

(equal 01:02:03 01:02:03) returns 01:02:03

(equal (as-blob "ab") 61:62) returns null

(equal 1 (to-blob 1)) returns null

(equal (null) (request option 20)) returns "*T*" if there is no option 20 in the packet

The equal function evaluates the equivalency of the result of evaluating expr1 and expr2. If they are equal, it returns:

1. The value of expr3, if specified, else

2. The value (and datatype, after possible string conversion) of expr2, as long as expr2 is not null, else

The arguments can be any datatype. If different, the function converts them to strings (which cannot fail) before comparing them. Note that any string conversion is performed using the equivalent of (to-string ...). Thus, the blob 61:62 is not equal to the "ab" string. Note also that a one-byte blob 01 is not equal to a literal integer 1 (both are converted to strings, and the "01" and "1" strings are not equal).

The equali function is identical to the equal function, except that if the comparison is for strings (either because string arguments were used or because the arguments were converted to strings), a case insensitive comparison is used.

(error)

Returns a "no recovery" error that causes the entire expression evaluation to fail unless there is a try function above the error function evaluation.

Evaluates the condition expression cond in an if-then-else sense. If cond evaluates to a value that is nonnull, it returns the result of evaluating the then argument; otherwise it returns the result of evaluating the else argument. Both then and else are optional arguments. If you omit the then and else arguments, the function simply returns the results of evaluating the cond argument. If you omit the else argument and cond evaluates to null, the function returns null. There are no restrictions on the data types of any of the three arguments.

(ip-stringblob)

(ip-string 01:02:03:04) returns "1.2.3.4"

(ip-string -1) returns "255.255.255.255"

(ip-string(as-blob "hello world") returns "104.101.108.108"

Returns the string representation of the four-byte IP address blob in the form "a.b.c.d". The single argument blob must evaluate to a blob or be convertible into one. If the blob exceeds four bytes, the function uses only the first four to create the IP address string. If the blob has fewer bytes, the function considers the right-most bytes as zero when it creates the IP address string.

Returns the string representation of a 16-byte IPv6 address blob in the form "a:b:c:d:e:f:g:h". The single argument blob must evaluate to a blob or be convertible into one. If the blob exceeds 16 bytes, the function uses only the first 16 to create the IPv6 address string. If the blob has fewer bytes, the function considers the right-most bytes as zero when it creates the IPv6 string.

(is-stringexpr)

(is-string 01:02:03:04) returns null

(is-string "hello world") returns "hello world"

(is-string 68:65:6c:6c:6f:20:77:6f:72:6c:64) returns the blob

Returns the value of expr, if the result of evaluating expr is a string or can be used as a string, this function, otherwise it returns null. That is, if as-string does not return an error, then is-string returns the value of expr.

(lengthexpr)

(length 1) returns 4

(length 01:02:03) returns 3

(length "hello world") returns 11

Returns an integer whose value is the length, in bytes, of the value of expr. The argument expr can evaluate to any datatype. Integers always have length 4. The length of a string does not include any zero byte that may terminate the string.

Creates an environment with local variables var1 through varn, which are initialized to a null value (you can give them other values by using the setq function). Once the local variables are initialized to null, the function evaluates expressions expr1 through exprn in order. It then returns the value of its last expression, exprn. The benefit of this function is that you can use it to calculate a value once, assign it to a local variable, then reuse that value in other expressions without having to recalculate it. Variables are case sensitive.

(logseverity expr)

Logs the result of converting expr to a string. The severity and expr must be a string and are converted to one if they do not evaluate to one. The severity can also be null; if a string, it must have one of these values:

"debug""activity" (the default if severity is null)"info""warning""error"

Note Logging consumes considerable server resources, so limit the number of log function evaluations you put in an expression. Even if "error" severity is logged, the log function does not return an error. This only tags the log message with an error indication. See the error function to return an error as part of a function evaluation.

(mask-blobmask-size length)

(mask-blob 1 4) yields 80:00:00:00

(mask-blob 4 2) yields f0:00

(mask-blob 31 4) yields ff:ff:ff:fe

Returns a blob that contains the mask of length mask-size starting from the high-order bit of the blob, with a blob length of length. The mask-size is an expression that evaluates to an integer or must be convertible to one. Likewise the length, which cannot be smaller than the mask-size, but has no fixed limit except that it must be zero or positive. If mask-size is less than zero, it denotes a mask length calculated from the right end of the blob.

(mask-intmask-size)

(mask-int 1) yields 0x80000000

(mask-int 4) yields 0xf0000000

(mask-int 31) yields 0xfffffffe

(mask-int -1) yields 0x00000001

Returns an integer mask of length mask-size bits starting from the high-order bit of the integer. The mask-size is an expression that evaluates to an integer or must be convertible to one. Any number over 32 is meaningless and is treated as though a value of 32 was used. If mask-size is less than zero, it denotes a mask length calculated from the right end of the integer.

(notexpr)

(not "hello world") returns null

Evaluates a string, blob, or integer expression to nonnull if it is null, and null if it is nonnull. The nonnull value returned when the value of expr is null is not guaranteed to remain the same over two calls.

(null [expr1 ... exprn])

Returns null and does not evaluate any of its arguments.

(orarg1 ... argn)(pick-first-valuearg1 ... argn)

(or (request option 82 1) (request option 82 2) 01:02:03:04) returns the value of sub-option 1 in option 82, and if that does not exist, returns the value of sub-option 2, and if that does not exist, returns 01:02:03:04

Evaluates the arguments sequentially. When evaluating an arg returns a nonnull value, the first nonnull argument value is returned. Otherwise, returns the value of the last argument, argn. The datatypes need not be the same.

(prognarg ... argn) (return-lastarg ... argn)

(progn (log (null) "I was here") (request option 82 1))

(return-last (log (null) "I was here") (request option 82 1))

Evaluates arguments sequentially and returns the value of the last argument, argn.

•get-blob—Returns the data as a blob, providing direct access to the option bytes.

•relay—Applies to IPv6 packets only, otherwise returns an error. Requests a relay option instead of a client option. The n indicates the nth closest relay agent to the client; if omitted, 0 (the relay agent nearest to the client) is assumed.

•option—Options are specified with the opt argument, which must evaluate to an integer or a string. If it does not evaluate to one of these, the function does not convert it and returns an error. Valid string values for the opt specifier are the same as those used for extensions.

•enterprise-id—After an option or suboption, and for DHCPv4 and DHCPv6, returns only the data bytes after the given enterprise-id in the packet, instead of the entire data of an option.

•vendor—After an option or suboption, requests that the vendor custom option definition be used for decoding the data in the option. Does not apply to DHCPv6 options. Note that if no definition exists for the specified vendor string, no error is issued and the standard definition of an option is used (or, if none, it is assumed to be a blob).

•instance—Selects the (n+1)th instance of the preceding option or suboption. Instances start at 0. (You cannot use the instance and instance-count together in a single request function.)

•instance-count—Returns the number of instances of the preceding option or suboption, and is usually used to loop through all instances of it.

•index—Selects the (n+1)th value in an option that contains multiple values. For example, index 0 returns the first value and index 1 returns the second value.

•count—Returns the number of relevant data items in the preceding option, and is usually used with the index keyword to loop through all data values for an option or suboption.

The only string-valued suboption names defined for the subopt (suboption) specifier are for the relay-agent-info option (82) and are:

1—"circuit-id"2—"remote-id"4—"device-class"5—"subnet-selection"6—"subscriber-id"7—"radius-attributes" (which includes the following encapsulated attributes that can be specified as subsuboptions: 1—"radius-user", 6—"radius-class", 88—"radius-framed-pool-name", 26—"radius-vendor-specific", 27—"radius-session-timeout", 100—"radius-framed-ipv6-pool")8—"authentication"9—"v-i-vendor-class"150—"cisco-subnet-selection"151—"cisco-vpn-id"152—"cisco-server-id-override"181—"vpn-id"182—"server-id-override"

The request option function returns a value with a datatype depending on the option requested. This shows how the datatypes in the table correspond to the datatypes returned by the request function:

(request get ciaddr) returns the ciaddr if it exists, otherwise returns null

(request ciaddr) is the same as (request get ciaddr)

(request giaddr)

Valid values for packetfield are:

op (blob 1)

htype (blob 1)

hlen (blob 1)

hops (blob 1)

xid (uint)

secs (uint)

flags (uint)

ciaddr (blob 4)

yiaddr (blob 4)

siaddr (blob 4)

giaddr (blob 4)

chaddr (blob hlen)

sname (string)

file (string)

The requestpacketfield function returns the value of the named field from the request packet. DHCP request packets contain named fields as well as options in an option area. This form of the request function is used to retrieve specific named fields from the request packet. The relay keyword is described in the earlier, more general request function.

The packetfield values defined in RFC 2131 are listed at the left. There are several packetfield values that can be requested which do not appear in exactly these ways in the raw DHCP packet. These take data that appears in the packet and combine it in commonly used ways. In these explanations, the packet contents assumed are:

The msg-type-name packet field returns a string of the message type name. The string value is always uppercase; for example, SOLICIT.

The xid is the 24-bit client transaction ID, and the relay-count is the number of relay messages in the request.

If a DHCPv6 packet field is requested from a DHCPv4 packet, an error is returned. The inverse is also true.

(request dump)

Dumps the current request packet to the log file, after the function evaluates the expression. Note that not all expression evaluations support the dump keyword, and when unsupported, it is ignored.

(requestdictionary {get | putval | delete} attr)

Gets, puts, or deletes a DHCP extension request dictionary attribute value, val is the value of the attribute and attr is the attribute name. Both are converted to a string regardless of their initial datatype. Note that the get keyword is not optional for a "get."

Returns the value of the option from the packet. The keywords are identical to those for the request function.

(response [get | get-blob] [relay [number]] packetfield)

Returns the value of the named packefield from the response packet. The description and valid values are identical to those for the requestpacketfield function.

(response dump)

Dumps the current response packet to the log file after the function evaluates the expression. Note that not all expression evaluations support the dump keyword, and when unsupported, it is ignored.

(responsedictionary {get | putval | delete} attr)

Gets, puts, or deletes a DHCP extension response dictionary attribute value. The val is the value of the attribute and attr is the attribute name. Both are converted to a string regardless of their initial datatype. Note that the get keyword is not optional for a "get."

(search arg1 arg2fromend)

(search "test" "this is a test") returns 9

(search "test" "this test test test" "true") returns 15

Searches arg1 for a subsequence in arg2 that exactly matches. If found, it returns the index of the element in arg2 where the subsequence begins (unless you set the fromend argument to "true" or some other arbitrary value); otherwise it returns null. (If arg1 is null, it returns 0; if arg2 is null, it returns null.) The function does an implicit as-blob conversion on both arguments. Thus, it compares the actual byte sequences of strings and blobs, and sints and uints become 4-byte blobs for the purpose of comparison.

A nonnull fromend argument returns the index of the leftmost element of the rightmost matching subsequence.

(setqvar expr)

see the let function for examples

Sets var to the value of expr. You must precede it with the let function.

(starts-withexpr prefix-expr)

(starts-with "abcdefghijklmnop" "abc") returns "abcdefghijklmnop"

(starts-with "abcdefgji" "bcd") returns null

(starts-with 01:02:03:04:05:06 01:02:03) returns 01:02:03:04:05:06

(starts-with "abcd" (as-string 61:62)) returns "abcd"

(starts-with "abcd" 61:62) returns null

(starts-with "abcd" (to-string 61:62)) returns null

Returns the value of expr if the prefix-expr value matches the beginning of expr, otherwise null. If prefix-expr is longer than expr, it returns null. The function returns an error if prefix-expr cannot be converted to the same datatype as expr (string or blob), or if expr evaluates to an integer. (See Table 25-2.)

(substringexpr offset len)

(substring "abcdefg" 0 6) returns bcdefg

(substring 01:02:03:04:05:06 3 2) returns 04:05

Returns len bytes of expression expr, starting at offset. The expr can be a string or blob; if an integer, converts to a blob. The result is a string or a blob, or null if any argument evaluates to null. If:

•offset is greater than the length len, the result is null.

•offset plus len is data beyond the end of expr, the function returns the rest of the data in expr.

•offset is less than zero, the offset is from the end of the data (the last character is index -1, because -0=0, which references the first character).

•This references data beyond the beginning of data, the offset is considered to be zero.

Generates a hostname based on the configured method (if none is specified), or the specified method and namestem.

The method argument can have the value configured to specify the configured method (thus allowing a namestem specification), default, or one of the v6-synthetic-name-generator enumeration values (if IPv6) of the DNS update configuration (hashed-duid, duid, cablelabs-device-id, or cablelabs-cm-mac-addr; see the "Generating Synthetic Names in DHCPv6" section on page 28-3).

•expr evaluates to a string it must be in "nn:nn:nn" format. This function returns a blob that is the result of converting the string to a blob.

•The function cannot convert the string to a blob, it returns an error.

•expr evaluates to a blob, it returns that blob.

•expr evaluates to an integer, it returns a four-byte blob representing the bytes of the integer in network order. (See Table 25-2.)

(to-ipexpr) (to-ip6expr)

Converts an expression as string, blob, or integer to an IP address.If:

•A string, it must be in dotted decimal IP address format for IPv4 or colon-formatted format for IPv6. Returns the blob IP address determined by parsing the string into an IP address.

•The result is a blob, itreturns the first bytes of the blob.

•The blob is less than four bytes, it pads the argument blob with zero bytes in the high order bytes.

•The result is an integer, it converts the integer (of either type) into a blob. Because the integers and blobs are in network order, no order change is required.

(to-lowerexpr)

Takes a string and produces a lowercase string from it. When using the client-lookup-id attribute to calculate a client-specifier to look up a client-entry in the MCD local store (as opposed to LDAP), the resulting string must be lowercase. Use this function to easily make the result of the client-lookup-id a lowercase string. You may or may not want to use this function when accessing LDAP using the client-lookup-id.

(to-sintexpr)

(to-sint "1") returns 1

(to-sint -1) returns -1

(to-sint 00:02) returns 2

(to-sint "00:02") returns an error

(to-sint "4294967295") returns an error

Converts an expression to a signed integer.

If expr evaluates to a string, it must be in a format that can be converted into a signed integer, else the function returns an error. If:

•expr evaluates to a blob of one to four bytes, the function returns it as a signed integer.

•expr evaluates to a blob of more than 4 bytes in length, it returns an error.

•expr evaluates to an unsigned integer, it returns a signed integer with the same value, unless the value of the unsigned integer was greater than the largest positive signed integer, in which case it returns an error.

•expr evaluates to a signed integer, it returns that value. (See Table 25-2.)

(to-stringexpr)

(to-string "hello world") returns "hello world"

(to-string -1) returns "-1"

(to-string 02:04:06) returns "02:04:06"

Converts an expression to a string. If expr evaluates to a string, it returns it; if a blob or integer, it returns its printable representation. It never returns an error if expr itself evaluates without error, because every value has a printable representation. (See Table 25-2.)

(to-uintexpr)

(to-uint "1") returns 1

(to-uint 00:02) returns 2

(to-uint "4294967295") returns 4294967295

(to-uint "00:02") returns an error

(to-uint -1) returns an error

Converts an expression to an unsigned integer. If

expr evaluates to a string, it must be in a format that can be converted into an unsigned integer, else the function returns an error. If:

•expr evaluates to a blob of one to four bytes, it returns it as an unsigned integer.

•expr evaluates to a blob of more than 4 bytes in length, it returns an error.

•expr evaluates to a signed integer, it returns an unsigned integer with the same value, unless the value of the signed integer less than zero, in which case it returns an error.

Takes as an argument an expression that evalutes to a sequence of bytes (either a string or a blob), and replaces various characters or bytes that appear in search with corresponding values (in the same position) in replace. If:

•expr is a string or blob, the value is left as it is, otherwise it is forced to be a string. If, after processing, expr is a string, search and replace must be strings.

•expr is a blob, both search and replace must also be blobs.

•replace is shorter than search, the bytes or characters in search that do not have corresponding bytes or characters in replace are dropped from the output.

•replace does not appear, all the bytes or characters in search are removed from expr.

Datatype Conversions

When a function needs an argument of a particular datatype, it tries to convert a value into that datatype. Sometimes this can fail, often causing the entire function to fail. Datatype conversion is also performed by the to-string, to-blob, to-sint, and to-uint functions. Whenever a function needs an argument in a specific datatype, it calls the internal version of these externally available functions.

There are also as-string, as-blob, as-sint, and as-uint conversion functions, where the data in a value are simply relabeled as the desired datatype, although some checking does go on. The conversion matrix for both function sets appears in Table 25-2.

Table 25-2 Datatype Conversion Matrix

Function

String

Blob

Signed Integer

Unsigned Integer

as-blob

Cannot fail; relabels ASCII characters as blob bytes.

—

Cannot fail;produces a 4-byte blob from the 4 bytes of the integer.

Cannot fail;produces a 4-byte blob from the 4 bytes of the integer.

as-sint

Not usually useful; converts a 1-, 2-, 3-, or 4-byte string to a blob and then packs it up into a signed integer.

Not usually useful; converts only 1-, 2-, 3-, or 4-byte blobs.

—

Cannot fail; converts to a signed integer, negative if a larger unsigned integer would fit into a positive signed integer.

as-string

—

Relabels as string bytes, if printable characters

Converts to a 4-byte blob, then processes it as a blob (which fails except for a few special integers)

Converts to a 4-byte blob, then processes as a blob (which fails except for a few special integers)

as-uint

Not usually useful; converts a 1-, 2-, 3-, or 4-byte string to a blob and then a signed integer.

Not usually useful; converts only 1-, 2-, 3-, or 4-byte blobs.

Cannot fail; converts to an unsigned integer, and a negative signed integer becomes a large unsigned integer.

—

to-blob

Must be in the form "01:02:03"

—

Cannot fail; produces a 4-byte blob from the 4 bytes of the integer.

Cannot fail; produces a 4-byte blob from the 4 bytes of the integer.

to-sint

Must be in the form n or -n.

1-, 2-, 3-, or 4-byte blobs only.

—

Converts only if it is not too big to fit into a signed integer.

to-string

—

Cannot fail

Cannot fail

Cannot fail

to-uint

Must be in the form n.

1-, 2-, 3-, or 4-byte blobs only.

Nonnegative only.

—

Expressions in the CLI

You must include the expression in a text file if you want to include it with a CLI attribute setting. The default path of this file is the current working directory. Do not enclose the expression in quotes. You can add comment lines prefixed by #, //, or ;. For example:

The server reads the file when processing the command. An example of a command to include this file is:

nrcmd> dhcp set client-class-lookup-id=@expressionfile1.txt

Note You must set the attribute to a file in the CLI. You cannot enter the expression directly in the equation.

Expression Examples

These examples provide the maximum support for option 82 processing. They set up clients to limit, those not to limit, and those that exceed configuration limits and should be assigned to an over-limit client-class. There are separate scopes and selection tags for each of the three classes of clients:

•Client-classes—limit, no-limit, and over-limit.

•Scopes—10.0.1.0 (primary), 10.0.2.0 and 10.0.3.0 (secondaries), named for their subnets.

•Selection tags—limit-tag, no-limit-tag, and over-limit-tag. The scopes are named for the address pools that they represent. The selection tags are allocated to the scopes with 10.0.1.0 getting limit-tag, 10.0.2.0 getting no-limit-tag, and 10.0.3.0 getting over-limit-tag.

See Also

Limitation Example 1: DOCSIS Cable Modem

The test is to determine whether the device is considered a DOCSIS cable modem, and limit the number of customer devices behind every cable modem. The limitation ID for the limit client-class is the cable modem MAC address, included in the remote-id suboption of the relay-agent-info option.

The expression for the client-class-lookup-id attribute on the server is:

// Expression to set client-class to no-limit or limit based on remote-id

(if (equal (request option "relay-agent-info" "remote-id")

(request chaddr))

"no-limit"

"limit")

The above expression indicates that if the contents of the remote-id suboption (2) of the relay-agent-info option is the same as the chaddr of the packet, then the client-class is no-limit, otherwise limit.

The limitation-id expression for the limit client-class is:

(request option "relay-agent-info" "remote-id")

Use this expression in the following steps:

Step 1 Define the client-classes.

Step 2 Define the scopes, their ranges and tags, and if they are primary or secondary. Note the host range for each scope, which is less likely to be misread than if they all have the same host number.

Step 3 Define the limitation count. It can go in the default policy; if the request does not show a limitation ID, the count is not checked.

Step 4 Add an expression in an expression file, cclookup1.txt, for the purpose:

// Expression to set limitation count based on remote-id

(if (equal (request option "relay-agent-info" "remote-id")

(request chaddr)) "no-limit" "limit")

Step 5 Refer to the expression file when setting the client-class lookup-id attribute on the server level.

Step 6 Add another expression for the limitation ID for the client in a cclimit1.txt file:

// Expression to set limitation ID based on remote-id

(request option "relay-agent-info" "remote-id")

Step 7 Refer to this expression file when setting the limitation-id attribute for the client-class.

Step 8 If in staged dhcp edit mode, reload the server.

The result of doing this for a previously unused configuration would be to put the first two DHCP clients with a common remote-id option 82 suboption value in the limit client-class. The third client with the same value would go in the over-limit client-class. There are no limits to the number of devices a subscriber can have in the no-limit client-class, because it has no configured limitation ID. Any device with a MAC address equal to the value of the remote-id suboption is ignored for the purposes of limitation, and goes in the no-limit client class, for which there is no limitation ID configured.

Limitation Example 2: Extended DOCSIS Cable Modem

This example is an extension to the example described in the "Limitation Example 1: DOCSIS Cable Modem" section. In the latter example, all of the cable modems allowed only two client devices beyond them, since a limitation count of two was defined for the default policy. In this example, specific cable-modems are configured to allow a different number of devices to be granted IP addresses from the scopes that use the limit-tag selection tag.

In this case, you need to explicitly configure any cable modem with more than two addresses behind it in the client-class database. This requires enabling client-class processing server-wide, so that you can look up the client entry for a cable modem in the Network Registrar or LDAP database. Not finding the cable modem limits the number of devices to two; finding it uses the limitation count from the policy configured for the cable modem.

This example requires just one additional policy, five, which allows five devices.

Step 1 Enable client-class processing server-wide.

Step 2 Create the five policy with a limitation count of five devices.

Step 3 As in the previous example, use an expression to set a limitation ID for the limit client-class. Put the limitation ID in a cclimit2.txt file, and the lookup ID in a cclookup2.txt file:

Step 5 Define some cable modem clients and apply the five policy to them.

Step 6 If in staged dhcp edit mode, reload the server.

Limitation Example 3: DSL over Asynchronous Transfer Mode

This example shows how to use expressions to configure Digital Subscriber Line (DSL) access for a subscriber to a service provider using asynchronous transfer mode (ATM) routed bridge encapsulation (RBE). Service providers are increasingly using ATM RBE to configure a DSL subscriber. The DHCP Option 82 support for routed bridge encapsulation feature as of Cisco IOS Release 12.2(2)T enables those service providers to use DHCP to assign IP addresses and option 82 to implement security and IP address assignment policies.

In this scenario, DSL subscribers are identified as individual ATM subinterfaces on a Cisco 7401ASR router. Each customer has their own subinterface in the router and each subinterface has its own virtual channel identifier (VCI) and virtual path identifier (VPI) to identify the next destination of an ATM cell as it passes through ATM switches. The 7401ASR router routes up to a Cisco 7206 gateway router.

Step 1 Set up the DHCP server and interfaces for the router using IOS. This is a typical IOS configuration:

Router#ip dhcp-server 170.16.1.2

Router#interface Loopback0

Loopback0(config)#ip address 11.1.1.129 255.255.255.192

Loopback0(config)#exit

Router#interface ATM4/0

ATM4/0(config)#no ip address

ATM4/0(config)#exit

Router#interface ATM4/0.1 point-to-point

ATM4/0.1(config)#ip unnumbered Loopback0

ATM4/0.1(config)#ip helper-address 170.16.1.2

ATM4/0.1(config)#atm route-bridged ip

ATM4/0.1(config)#pvc 88/800

ATM4/0.1(config)#encapsulation aal5snap

ATM4/0.1(config)#exit

Router#interface Ethernet5/1

Ethernet5/1(config)#ip address 170.16.1.1 255.255.0.0

Ethernet5/1(config)#exit

Router#router eigrp 100

eigrp(config)#network 11.0.0.0

eigrp(config)#network 170.16.0.0

eigrp(config)#exit

Step 2 In IOS, enable the system to insert the DHCP option 82 data in forwarded BOOTREQUEST messages to a Cisco IOS DHCP server:

Router#ip dhcp relay information option

Step 3 In IOS, specify the IP address of the loopback interface on the DHCP relay agent that is sent to the DHCP server using the option 82 remote-id suboption (2):

Step 6 Put the packets in the right client-class. All the packets should be in the limit client-class. Create a lookup file containing just the value limit, then set the client-class lookup ID. In the cclookup3.txt file:

// Sets client-class to limit

"limit"

Step 7 Use an expression to ensure that those packets that are limited have the right limitation ID. Put the expression in a file and refer to that file to set the limitation ID. The substring function gets the VPI/VCI by extracting bytes 10 through 12 of the option 82 suboption 2 (remote-id) data field. In the cclimit3.txt file:

// Sets limitation ID

(substring (request option 82 2) 9 3)

Step 8 If in staged dhcp edit mode, reload the server.

Debugging Expressions

If you are having trouble with expressions, examine the DHCP log file at server startup. The expression is printed in such a way as to clarify the nesting of functions, and can help in confirming your intentions. Pay special attention to the equal function and any datatype conversions of arguments. If the arguments are not the same datatype, they are converted to strings using code similar to the to-string function.

You can set various debug levels for expressions by using the expression-trace-level attribute for the DHCP server. All executed expressions are traced to the degree set by the attribute. The highest trace level is 10. If you set the level to at least 2, any nonworking expression is retried again at level 10.

The trace levels for expression-trace-level are (use the number value):

•0—No tracing

•1—Failures, including those protected by (try ...)

•2—Total failure retries (with trace level = 6 for retry)

•3—Function calls and returns

•4—Function arguments evaluated

•5—Print function arguments

•6—Datatype conversions (everything)

The trace levels for expression-configuration-trace-level are (use the number value):

•0—No additional tracing

•1—No additional tracing

•2—Failure retry (the default)

•3—Function definitions

•4—Function arguments

•5—Variable lookups and literal details

•6—Everything

To trace expressions you have trouble configuring, there is also an expression-configuration-trace-level attribute that you can set to any level from 1 through 10. If you set the level to at least a 2, any expression that does not configure is retried again with the level set to 6. Gaps in the numbering are to accommodate future level additions.